The background description provided here is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
A Botnet is a group of machines (each individual machine referred to as a “bot”) infected by malware and controlled by one or more Command and Control (CnC) servers, frequently unbeknownst to the machines' owners. The one or more CnC servers are used by a remote controller (referred to as a “botmaster” or “botherder”) to issue commands to the bots. Typical applications of Botnets include Distributed Denial-of-Service (DDoS) attacks, identity theft, click fraud, spreading spam or viruses, etc.
Botnets are known to use the Domain Name System (DNS) for a multitude of purposes, including (i) managing communication between the bots and CnC and (ii) frustrating Botnet detection efforts. For example, with regard to detection avoidance, Botnets routinely employ techniques for rapidly changing the DNS information associated with infected machines. Such techniques include rapidly changing the IP addresses and/or domain names associated with infected machines. A few well-known, DNS-based techniques for avoiding Botnet detection include Fast-Flux and Domain Generation Algorithms (DGAs). Accordingly, enhanced systems and methods for identifying Botnets are desired.
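As an added illustration that is not part of this disclosure, the two DNS-based evasion patterns named above can be surfaced from passive-DNS records with simple heuristics: rapid churn of answer addresses under short TTLs (Fast-Flux) and long, high-entropy, vowel-poor labels (DGA). The records, names, addresses and thresholds below are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed passive-DNS style records: (seconds since start, queried name, answer IP, TTL).
# Names are invented; the addresses come from the RFC 5737 documentation ranges.
SAMPLE_RECORDS = [
    (0,   "cdn.example-static.com", "203.0.113.10", 3600),
    (600, "cdn.example-static.com", "203.0.113.10", 3600),
    (0,   "update.fluxy-host.net",  "198.51.100.5",  120),
    (120, "update.fluxy-host.net",  "198.51.100.77", 120),
    (240, "update.fluxy-host.net",  "192.0.2.200",   120),
    (360, "update.fluxy-host.net",  "203.0.113.45",  120),
    (0,   "xk3q9vz7tpw1ra.info",    "192.0.2.11",    300),
    (0,   "q8mz2lvt0bhj6c.info",    "192.0.2.11",    300),
]

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def second_level_label(name):
    """Label directly under the TLD, e.g. 'example-static' for cdn.example-static.com.
    Simplification: public suffixes such as co.uk are not handled here."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def fast_flux_candidates(records, window_s=900, min_ips=4, max_ttl=300):
    """Names that resolve to >= min_ips distinct addresses, all with TTL <= max_ttl,
    inside some window_s-second window: the rapid IP-change pattern of Fast-Flux."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in records:
        by_name[name].append((ts, ip, ttl))
    flagged = []
    for name, rows in by_name.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - start <= window_s]
            if len({ip for _, ip, _ in window}) >= min_ips and max(t for *_, t in window) <= max_ttl:
                flagged.append(name)
                break
    return sorted(flagged)

def dga_candidates(records, min_len=10, min_entropy=3.5, max_vowel_ratio=0.2):
    """Names whose second-level label looks machine-generated: long, high-entropy, vowel-poor.
    Heuristic thresholds only; a production detector would add lexical models and NXDOMAIN rates."""
    flagged = set()
    for _, name, _, _ in records:
        label = second_level_label(name)
        vowel_ratio = sum(c in "aeiou" for c in label) / max(len(label), 1)
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio:
            flagged.add(name)
    return sorted(flagged)
```

On the sample above, only `update.fluxy-host.net` meets the Fast-Flux criteria and only the two random-looking `.info` names meet the DGA criteria, while `example-static` stays below the entropy threshold.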